Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create /etc/shadow if does not exist #65

Closed
wants to merge 1 commit into from
Closed

Create /etc/shadow if does not exist #65

wants to merge 1 commit into from

Conversation

jlsalvador
Copy link

@jlsalvador jlsalvador mentioned this pull request Apr 29, 2023
Closed
@jlsalvador
Copy link
Author

I wish to add a bit of context to this PR:

  • I need an "Unified Kernel Image", that will be self-signed by me, in order to boot with secure boot enabled.
  • Because of that, I installed the package dracut-hook-uefi from AUR, that its source is hosted here.
  • As you can see in this link, this script does not include the flag "--hostonly" (maybe to allow boot the .EFI from anywhere?, does not matter).
  • So I checked that dracut does not create /etc/shadow when you do not set the flag "--hostonly" as true. Check here.

So this PR will create a /etc/shadow in order to allow sshd to authorize the user root. This will fix the client-side "Permission denied (publickey)" error (issue #19).

The reason to "reopen" the issue #19 is because anyone can create a valid dracut image without the flag "hostonly", and I really think "dracut-sshd" must support this official behavior from the "dracut" project.

@gsauthof
Copy link
Owner

Hm, do you mean your dracut-hook-uefi module unconditionally overwrites the effects of a system-wide hostonly="yes" or even a dracut -f --hostonly call?

However, I remember a time when ssh public key auth did work without any /etc/shadow being present. Did that change?

@gsauthof
Copy link
Owner

gsauthof commented May 7, 2023

Ok, I tested current dracut-sshd master in combination with --no-hostonly on Fedora 37 and everything works fine:

initramfs-ssh:/root# cat /etc/shadow 
dbus:!*:19484::::::
initramfs-ssh:/root# grep 'root\|ssh' /etc/passwd 
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
root::0:0::/root:/bin/sh
initramfs-ssh:/root# journalctl -e -u sshd
[..]
May 07 18:10:36 fedora sshd[487]: WARNING: 'UsePAM no' is not supported in Fedora and may >
May 07 18:10:36 fedora sshd[487]: Accepted publickey for root from xxx.xxx.xxx.xxx port 43>
[..]

NB: That way early boot contains a root user with an empty password.
However, our early-boot sshd only accepts public-key auth, so we are still safe.

NB: FWIW, sshd also rejects empty-password logins, by default.

Also, unlocking the encrypted device with systemd-tty-ask-password-agent still works fine.

NB: Fedora defaults to hostonly since release 19, for --no-hostonly to be effective one has to install dracut-config-generic, nowadays.

That means, as is, dracut-sshd already supports dracut running in no-hostonly mode!

Also, I think that your patch violates the principle of least surprise.

Whether or not dracut runs in hostonly mode should be a system configuration decision whose effects (such as including /etc/shadow or not) shouldn't be overridden behind the user's back in surprising ways!

Thus, I'm rejecting your pull-request.

@gsauthof gsauthof closed this May 7, 2023
@jlsalvador
Copy link
Author

Also, I think that your patch violates the principle of least surprise.

Fair enough. Np. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jlsalvador @gsauthof